Samsung Allshare Cast Hub

Purchase

Buying devices is expensive and, in a lot of cases, our testing leads to bricked equipment. If you would like to help support our group, site, and research, please use one of the links below to purchase your next device.
Purchase the Allshare Cast at Amazon

GPL

Teardown

Disassembly

UART

Connect your UART adapter to the highlighted pads and set your adapter's baud rate to 115200.

Bypass autoboot

After connecting to UART, autoboot can be bypassed by typing any character. Button mashing will work.

Interrupting uboot lets us review and change environment variables such as bootdelay, bootcmd, and bootargs.

Changing the bootdelay variable will make bypassing autoboot easier on subsequent boots.

>setenv bootdelay 5
>saveenv

Secure Boot Bypass

Reversing boots

After a quick look at environment variables, you'll find that bootcmd is set to call boots.

bootcmd=run ${INTFPRG}; boots

Hijacking init by changing the bootargs environment variable will not work here, as boots verifies bootargs before proceeding. Changing bootcmd will not work either, as boots loads two encrypted blobs from NAND into RAM, decrypts them, and then boots from them.

We can use bootm instead, which does not filter bootargs and will boot a kernel from a specified location in memory. Before this can be done, the kernel must also be decrypted. The cryptotest command is available in uboot and is included in GPL code. We can use cryptotest, nand and bootm to bypass secure boot on this device.

Let's take a look at the inputs required by cryptotest and nand read.

nand read takes two arguments:

a NAND source address

a RAM destination address

optionally, a third argument, length, can be provided

cryptotest takes three arguments:

the RAM source address of the encrypted kernel

the RAM destination address of the decrypted output

the size of the data to be decrypted

Based on the information found in the GPL code, and the arguments required by the nand and cryptotest commands, we will be able to decrypt and boot the kernel with the following commands:

Persistence

Despite there being only one persistent partition on this device, a script located at /cavium/rc, which runs at boot, reads in the EXTRA_CMD firmware environment variable. It then executes the contents of the variable without the filtering that the rc script applies to other environment variables.

By modifying this environment variable, achieving a persistent root shell is trivial.

PoC

The following PoC will automatically scan IPs to locate the AllShare Cast, exploit the CGI command injection to get a telnet shell, restart screen mirroring and automate a telnet session to gain persistent root.